Create Pages-security-compliance.md (#2525)

cloud-gov · Jul 31, 2024 · f0bbe8e · f0bbe8e
1 parent dae8824
commit f0bbe8e
Show file tree

Hide file tree

Showing 4 changed files with 100 additions and 12 deletions.
diff --git a/_data/pages/navigation.yml b/_data/pages/navigation.yml
@@ -50,8 +50,8 @@ sidenav:
         href: /pages/documentation/access-permissions/
       - text: Adding a user to an Organization
         href: /pages/documentation/adding-users/
-      - text: Customer responsibilities
-        href: /pages/documentation/customer-responsibilities/
+      - text: Before you launch
+        href: /pages/documentation/before-you-launch/
       - text: Getting started with a sandbox
         href: /pages/documentation/sandbox/
       - text: "21st Century IDEA"
@@ -66,8 +66,6 @@ sidenav:
         href: /pages/documentation/previews/
       - text: Custom domains
         href: /pages/documentation/custom-domains/
-      - text: Before you launch
-        href: /pages/documentation/before-you-launch/
       - text: Migration guide
         href: /pages/documentation/migration-guide/
       - text: Adding forms
@@ -86,6 +84,15 @@ sidenav:
         href: /pages/documentation/custom-headers/
       - text: Federalist.json
         href: /pages/documentation/federalist-json/
+  - text: For security and compliance
+    href: /pages/documentation/
+    subfolderitems:
+      - text: Security and Compliance
+        href: /pages/documentation/security-and-compliance
+      - text: Customer responsibilities
+        href: /pages/documentation/customer-responsibilities/
+      - text: FedRAMP Tracker
+        href: /docs/overview/fedramp-tracker/
       - text: Build Scans
         href: /pages/documentation/build-scans/
   - text: For developers

diff --git a/_docs/overview/fedramp-tracker.md b/_docs/overview/fedramp-tracker.md
@@ -42,18 +42,20 @@ Here's an example of a control breakdown for a simple moderate-impact system hos
 
 We publish two CIS/CRM documents, one for the Paas/Platform service and one for the Pages service:
 
+#### Cloud.gov Platform
+
 * [cloud.gov PaaS CIS Worksheet]({{ site.baseurl }}/resources/cloud.gov-CIS-Worksheet.xlsx) summarizes each Low and Moderate security control and whether it is handled by cloud.gov (inheritable), a shared responsibility, or a customer responsibility. It includes guidance on which controls a customer on the Platform can fully or partially inherit from cloud.gov.
   * Last Update: 2023-03-17 - Updated front matter
-* [cloud.gov Pages CIS Worksheet]({{ site.baseurl }}/resources/cloud.gov-Pages-CIS-and-CRM-Workbook.xlsx) summarizes each Low and Moderate security control and whether it is handled by cloud.gov (inheritable), a shared responsibility, or a customer responsibility. It includes guidance on which controls a customer on Pages can fully or partially inherit from cloud.gov.
-  * Updated: 2022-11-15 - First published CIS/CRM for cloud.gov Pages
-  * Updated: 2024-04-09 
-    * Updated the date of change to the CIS/CRM.
-    * The CIS/CRM has been updated and revised using the latest FedRAMP rev5 template including Low and 
-Moderate controls. The CRM focuses on the consideration of cloud.gov Pages static website customers.
-
-
 
+#### Cloud.gov Pages
 
+* The updated CIS/CRM documents using FedRAMP rev5 templates has been uploaded to [connect.gov](https://www.connect.gov/). To download the documents, please complete the FedRAMP Package Access Request Form and follow your agency’s access approval process.
+  * Updated: 2024-07-30 - Updated language to use new process for obtaining documentation through connect.gov
+  * Updated: 2024-04-09
+    * Updated the date of change to the CIS/CRM.
+    * The CIS/CRM has been updated and revised using the latest FedRAMP rev5 template including Low and
+Moderate controls. The CRM focuses on the consideration of cloud.gov Pages static website customers.
+  * Updated: 2022-11-15 - First published CIS/CRM for cloud.gov Pages
 
 ## Start the ATO process
 

diff --git a/_pages/pages/documentation/Pages-security-compliance.md b/_pages/pages/documentation/Pages-security-compliance.md
@@ -0,0 +1,79 @@
+---
+title: Pages Security and Compliance
+permalink: /pages/documentation/security-and-compliance/
+layout: docs
+navigation: pages
+sidenav: pages-documentation
+---
+
+## Pages security and compliance documentation
+
+The Federalist Authority to Operate (ATO) expired on February 28, 2024.
+All Federalist sites, including non-GSA websites, have transitioned from the Federalist ATO to the cloud.gov Pages security boundary.
+Sites will remain active under an agreement while the site owner compiles the Authority to Use (ATU) documentation.
+
+## What is an Authority to Use (ATU)?
+
+An ATU defines the process for documenting, reviewing, and approving the security and compliance status of sites requesting onboarding to the cloud.gov Pages platform.
+The ATU package is a consolidated document containing detailed security and compliance information for government low-impact information resources.
+
+## Cloud.gov Pages ATU
+
+The Pages team has created an ATU process and established a partnership with the Technology Transformation Services Center of Excellence (CoE) to assist non-GSA agencies in navigating and gathering ATU documentation. **The process includes the following templates and documents which are available upon request via this email: [Pages Support](mailto:[email protected]).**
+
+- Templates
+  - Authority to Use main template
+  - Privacy Threshold Analysis (PTA)
+  - Contingency Plan (CP)
+  - Configuration Management Plan (CMP)
+  - Incident Response Plan (IRP)
+  - Control guide for non-GSA websites
+  - Authority to Use letter **[This is a SAMPLE ONLY]**
+- ATU checklist
+- Pages CIS/CRM
+- Agency-specific requirements
+- ATU process flow
+
+## Benefits of using the Pages ATU package
+
+By leveraging cloud.gov Pages, government agencies benefit from a highly secure and compliant website hosting solution. The platform's adherence to federal security standards and its robust security features, high availability, centralized security management, and support from security experts and engineers make it an ideal choice for hosting government websites.
+The cloud.gov Pages ATU provides:
+
+- Streamlined compliance: Simplifies the compliance process for non-GSA agencies.
+- Consolidated documentation: Provides all necessary security and compliance details in one place.
+- Expert assistance: Partnership with CoE ensures expert guidance throughout the ATU process.
+- Ongoing support: Continuous support from the cloud.gov Pages team to maintain compliance.
+
+This focus on security and compliance helps agencies protect their data, meet regulatory requirements, and ensure the integrity and availability of their digital services.
+
+## ATU process flow
+
+The ATU process flow is determined by if you would like guided ATU support or would like to self-complete the ATU process.
+
+The process is outlined below. Here is where you can see a chart illustrating the process: [Authority to Use - Process Flow.pptx](https://github.com/user-attachments/files/16364072/Authority.to.Use.-.Process.Flow.pptx)
+
+Both the guided ATU support process and the ATU self-completion process begin with initiating a request for service to the Cloud.gov Pages team.
+
+## Guided ATU support process
+
+If you opt for guided ATU support, your request will be directed to the Centers of Excellence (CoE). The CoE will review the initial request and consult the Pages team to ensure the request aligns with ATU requirements.
+
+Once ATU requirement alignment has been determined, you will complete the required documentation under CoE guidance. Cg-Pages DevOps will engage with you to onboard you to the Pages application. The CoE team, along with cg-Pages Compliance, will conduct a final review of your documentation.
+
+If the documentation meets your agency’s requirements (agency ISSO/ISSM or FedRAMP), the site owner will sign the ATU document and ATU letter ISSO/ISSM and move the ATU letter forward to obtain the rest of the signature requests.
+
+Prior to operational deployment, all websites must receive written authorization through the ATU process.
+
+Once written authorization is received, the Cg-Pages DevOps team will collaborate with you to deploy the live site.
+
+## ATU self-completion process
+
+If you are opting to self-complete the ATU process, you may leverage either the non-GSA ATU process (without the assistance of the CoE team, as outlined above) or follow your agency-specific ATO/ATU process.
+
+Prior to operational deployment, all websites must receive written authorization through the ATU process.
+
+## Cloud.gov Pages contact information
+
+Need help with an existing Pages account? Contact the support team at [email protected].
+
+Interested in getting started with Pages? Contact the business team at [email protected].
diff --git a/resources/cloud.gov-Pages-CIS-and-CRM-Workbook.xlsx b/resources/cloud.gov-Pages-CIS-and-CRM-Workbook.xlsx